All:

One of the people I reached out to about SASP mentioned this: https://github.com/fedora-static-analysis/firehose . It seems to be moribund - no activity since mid 2017. I haven't looked closely enough to tell if there is anything to be learned. I'm tempted to add an issue to it that points readers to SARIF.

-Paul

--
Paul Anderson, VP of Engineering, GrammaTech, Inc.
531 Esty St., Ithaca, NY 14850
Tel: +1 607 273-7340 x118; http://www.grammatech.com